From d965b0b4652b566b1f53be756c13190b958dd7fa Mon Sep 17 00:00:00 2001
From: sbassett
Date: Tue, 16 Apr 2019 17:09:43 -0500
Subject: [SECURITY] [API BREAKING CHANGE] Require logout token.

Special:Userlogout now requires a token
Api action=logout requires a csrf token and the request to be POSTed

Patch author: bawolff

Bug: T25227
Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774
---
 includes/api/ApiLogout.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'includes/api/ApiLogout.php')

diff --git a/includes/api/ApiLogout.php b/includes/api/ApiLogout.php
index c663d1e4bb23..39a96ac56308 100644
--- a/includes/api/ApiLogout.php
+++ b/includes/api/ApiLogout.php
@@ -59,13 +59,21 @@ class ApiLogout extends ApiBase {
 Hooks::run( 'UserLogoutComplete', [ &$user, &$injected_html, $oldName ] );
 }
 
+ public function mustBePosted() {
+ return true;
+ }
+
+ public function needsToken() {
+ return 'csrf';
+ }
+
 public function isReadMode() {
 return false;
 }
 
 protected function getExamplesMessages() {
 return [
- 'action=logout'
+ 'action=logout&token=123ABC'
 => 'apihelp-logout-example-logout',
 ];
 }
-- 
cgit v1.2.3
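Review bot: The two new overrides `mustBePosted()` and `needsToken()` carry no docblock, so the reason this module now rejects GET and demands a CSRF token (the logout-CSRF issue the subject line names) is only recoverable from git history; a one-line comment above `needsToken()` such as `// Logout is a state change: require POST + csrf token so a third-party page cannot log the user out` would make the intent clear to the next maintainer. The example string was updated to `action=logout&token=123ABC`, but nothing in the hunk touches the module's description message, so clients reading the help output may not learn that the request must now be POSTed — worth confirming that the surrounding apihelp-logout messages were updated alongside this change. Both new methods return untyped values; `: bool` and `: string` return declarations would match the contract the base class expects, if the project's PHP baseline allows them. The `ApiLogout` class body continues past the end of this hunk, so any related changes there are not visible here.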